
PIX-PIX VPN

liam_b
Level 1

Just checking if anyone knows a way of connecting two sites that use the same subnet by VPN. Is it possible using just the two PIX firewalls?

Any help is appreciated.

Thanks

5 Replies

Thanks for the reply. I had a look at the other topic, however the commands discussed are IOS router commands. Both of the PIX firewalls in my case are connected directly to Wireless broadband links and therefore there are no routers or other hardware at all between the two firewalls.

Regards

Derek

Hi Derek,

Yes, you can, but only with NAT.

On each subnet you perform a NAT to one (Public) IP, and you do the VPNs between those IPs.

In this case though, the stations on the different LANs will not see each other as being on the same subnet.

PIX1:

! nat_id 15 ties this inside range to the matching global below
nat (inside) 15 10.0.0.0 255.255.255.0
! a single address with a /32 netmask means PAT: all of 10.0.0.0/24 hides behind IP-Public-1
global (outside) 15 IP-Public-1 netmask 255.255.255.255
! the crypto ACL is written on the translated (post-NAT) addresses
access-list Crypto-Map permit ip host IP-Public-1 host IP-Public-2

PIX2:

nat (inside) 15 10.0.0.0 255.255.255.0
global (outside) 15 IP-Public-2 netmask 255.255.255.255
! mirror image of the PIX1 crypto ACL
access-list Crypto-Map permit ip host IP-Public-2 host IP-Public-1

So the VPN is between IP-Public-1 and IP-Public-2.

Please rate if this helped.

Regards,

Daniel

Daniel,

I'm confused about this answer. If a host behind PIX1 wants to talk to a host behind PIX2, then how does it do that? If it talks to a 10.0.0.x address it will just ARP locally. If it talks to the public IP address of PIX2, then when the packet gets to PIX2, how does that firewall know which 10.0.0.x address it is intended for?

Surely what you would need to do is have a one-to-one mapping at each end, i.e. if PIX1 clients need to talk to 10.0.0.5 and 10.0.0.6 at the PIX2 site, then you need to present those addresses internally at the PIX1 site as different IPs, which can then be translated back to their original addresses at the other end.

What am I missing?

Yup, my mistake there.

One end (LAN 1), the one that will receive the connections (the servers), will need a static mapping, i.e.:

! one-to-one static: LAN 2 reaches IP1-Local by addressing IP1-Global, and the PIX untranslates it
static (inside,outside) IP1-Global IP1-Local netmask 255.255.255.255
static (inside,outside) IP2-Global IP2-Local netmask 255.255.255.255

.....................................................................

So the other end (LAN 2) will access the hosts using IP1-Global, IP2-Global, ... BUT LAN 1 will not be able to initiate connections to LAN 2.

The VPN will be between LAN1-Public IP and IP1-Global, IP2-Global and so on.

Please rate if this helped.

Regards,

Daniel
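A complete pair of configurations for the static-mapping design described in the last reply, as an added example that is not part of the original thread and not any poster's own config. It assumes PIX 6.3 syntax and made-up addresses: 203.0.113.1 and 198.51.100.1 as the two outside (public) addresses, 192.168.1.0/24 as the range the LAN 1 servers are presented as (the IP1-Global, IP2-Global of the reply), 192.168.2.1 as the single address the LAN 2 clients hide behind, and PIX-SHARED-KEY as a placeholder pre-shared key. It makes two points explicit that the thread only implies: the PIX applies NAT before it matches the crypto map, so the crypto ACLs at both ends are written on translated addresses, and the LAN 2 side uses policy NAT so that only traffic bound for the servers is translated to 192.168.2.1 while ordinary Internet traffic keeps the normal PAT.

```text
! ---------- PIX1: LAN 1 (10.0.0.0/24), the server side ----------
! Added example in PIX 6.3 syntax; all addresses and the key are made up.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.1 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.2 1

! Normal Internet PAT for everything not covered by a static.
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! One-to-one statics: LAN 2 addresses these servers as 192.168.1.x and the
! PIX untranslates to 10.0.0.x. A static takes precedence over nat/global.
static (inside,outside) 192.168.1.5 10.0.0.5 netmask 255.255.255.255
static (inside,outside) 192.168.1.6 10.0.0.6 netmask 255.255.255.255

! Crypto ACL on translated addresses: the statics' global side to LAN 2's hide address.
access-list Crypto-Map permit ip 192.168.1.0 255.255.255.0 host 192.168.2.1

! IKE phase 1 and IPsec phase 2 (placeholder pre-shared key).
isakmp enable outside
isakmp key PIX-SHARED-KEY address 198.51.100.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address Crypto-Map
crypto map VPN 10 set peer 198.51.100.1
crypto map VPN 10 set transform-set ESP-3DES-SHA
crypto map VPN interface outside
! Decrypted tunnel traffic bypasses the outside interface ACL.
sysopt connection permit-ipsec

! ---------- PIX2: LAN 2 (also 10.0.0.0/24), the client side ----------
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 198.51.100.1 255.255.255.252
ip address inside 10.0.0.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 198.51.100.2 1

! Policy NAT: only traffic for the servers' presented range is hidden behind
! 192.168.2.1 (one address with a /32 netmask means PAT). Policy NAT is
! evaluated before the plain nat below, so Internet traffic keeps the usual PAT.
access-list VPN-NAT permit ip 10.0.0.0 255.255.255.0 192.168.1.0 255.255.255.0
nat (inside) 15 access-list VPN-NAT
global (outside) 15 192.168.2.1 netmask 255.255.255.255
nat (inside) 1 0.0.0.0 0.0.0.0
global (outside) 1 interface

! Mirror image of PIX1's crypto ACL, again on translated addresses.
access-list Crypto-Map permit ip host 192.168.2.1 192.168.1.0 255.255.255.0

isakmp enable outside
isakmp key PIX-SHARED-KEY address 203.0.113.1 netmask 255.255.255.255
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 86400
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto map VPN 10 ipsec-isakmp
crypto map VPN 10 match address Crypto-Map
crypto map VPN 10 set peer 203.0.113.1
crypto map VPN 10 set transform-set ESP-3DES-SHA
crypto map VPN interface outside
sysopt connection permit-ipsec
```

With this in place a LAN 2 client connects to 192.168.1.5, not 10.0.0.5 (which would ARP on its own LAN); LAN 2's DNS should hand out the 192.168.1.x names. The tunnel is one-way in the sense of the reply: LAN 1 cannot initiate, because a packet from a server to 192.168.2.1 arrives at PIX2 with no existing PAT translation to untranslate and is dropped. The example goes slightly beyond the thread in that the crypto ACLs already cover the whole /24, so replacing the per-host statics with a single network static, `static (inside,outside) 192.168.1.0 10.0.0.0 netmask 255.255.255.0`, exposes every LAN 1 host without further changes. Check phase 1 and phase 2 with `show crypto isakmp sa` and `show crypto ipsec sa`, and the translations with `show xlate`. One caveat: `sysopt connection permit-ipsec` lets all decrypted traffic bypass the outside interface ACL, so if LAN 2 should reach only specific ports on the servers, remove it and apply an outside ACL written on the 192.168.1.x and 192.168.2.1 addresses.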